Disable Java NOW, users told, as 0-day exploit hits web

A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available.

I guess the only true sandbox is your OS, maybe people need to run their browsers inside a virtual os (vmware, virtualbox) to be "safe".

No such luck...

There are already viruses that hijack guest OSes, for example, through VMware.

There are already viruses that hijack the current OS and virtualize it, to stay under the radar of anti-virus software.

That's crazy.

However, I am absolutely convinced that developing a perfect sandbox IS possible. I have looked at a lot of console design/architecture, primarily XBox, XBox 360 and PS3 - which is very related, because trying to keep people from hacking the consoles is a similar problem to keeping sandboxes secure.

What I'm certain of is that you need to keep the code minimal, very robust, and test it thoroughly... only really required stuff; try to hack it; use the principle of least privilege...

I'm very excited to see PS4 and XBox 720 in this regard... Although I generally dislike Microsoft, XBox 360 has a very good architecture.

I think also that one of the main problems with sandbox designs like these is, basically, old codebases: either legacy code, or new code combined with legacy code... Only designing it from scratch would be secure.

Yep. I've heard "Java isn't used for anything, you should disable it" or "Java isn't secure" and other things along that line. For me, the number of websites using Java applets outnumber Flash embeds by over two to one. (Ignoring Flash ads and websites that force the user to use a plugin to watch video.) The same people argue against disabling Silverlight, even though one can count the number of websites that use it on one hand. There's good reason to disable those types of things, including Flash, Java, Silverlight, and definitely Javascript, but that type of discussion revolves around which one has the better brand image.

With current hardware and OS I don't think you can do a "perfect sandbox". Fact is that modern computers are total crap when it comes to security, and no amount of dressing on the top can change that fundamental fact. Security is hard to get right. It's even harder to slap it onto things that were not designed with security in the first place.

I have no special talents. I am only passionately curious. --Albert Einstein

It's all pointless anyway. No matter how many holes are plugged in software, the biggest security hole is still floating between the keyboard and the chair. It's not the tiny cracks in a piece of software that provide the most misery, it's the keyloggers installed on so many systems of oblivious users that are the real deal. They don't go away by pointing a finger at others.

The above security issue is pretty serious, trivial to exploit (even by Java noobs) and works cross-platform, as the source code of a working example shows here.

Sadly, even if the above is fixed there are probably tons more yet undiscovered ways to do the above. Just looking at the list of critical Java security bugs fixed in the last few years, there have literally been hundreds of similar ones.

A majority of these exploits (including the above) simply find various crafty ways to replace the default applet/JWS security manager, e.g. System.setSecurityManager(null).

Simply making it impossible in the VM to replace the default security manager (even with elevated permissions) when running as an applet or JWS should make it more difficult to beat the sandbox and reduce some of the problems.

The Java plugin is currently a major attack vector (much more so than Flash ever was) and is being rightly criticised. If Oracle are serious or care about continuing to have a Java plugin, they need to take some radical action to secure it down (likely even more browsers will block it by default). Plus it doesn't help that Oracle are completely silent (seemingly doing nothing) even though almost every security/tech site out there is currently bashing it.
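
The "pin the security manager" idea from the post above, as an added example (not code from the thread, the linked exploit, or Oracle): a SecurityManager that refuses the `setSecurityManager` RuntimePermission no matter who asks. `System.setSecurityManager()` always consults the currently installed manager for that permission before swapping it out, so a manager that hard-denies it blocks the usual `System.setSecurityManager(null)` escape even from code that has otherwise obtained full privileges. The class and its `delegate` field are hypothetical names chosen for this illustration. The caveat a practitioner should keep in mind: this only guards the public API; an attacker who can already write arbitrary private fields (via reflective access, for example) can still clear the field that holds the manager, so this is defence in depth and not a fix for the underlying bug.

```java
import java.security.Permission;

/**
 * A SecurityManager that cannot be replaced or removed through
 * System.setSecurityManager(). Hypothetical illustration of the
 * "pin the sandbox manager" idea; not Oracle's code and not a
 * complete sandbox policy on its own.
 */
public final class PinnedSecurityManager extends SecurityManager {

    /** The manager whose policy applies to everything else; may be null (demo only). */
    private final SecurityManager delegate;

    public PinnedSecurityManager(SecurityManager delegate) {
        this.delegate = delegate;
    }

    @Override
    public void checkPermission(Permission perm) {
        // System.setSecurityManager() asks the *current* manager for this
        // permission first, regardless of who the caller is, so denying it
        // here blocks System.setSecurityManager(null) even from privileged code.
        if (perm instanceof RuntimePermission
                && "setSecurityManager".equals(perm.getName())) {
            throw new SecurityException("security manager is pinned and cannot be replaced");
        }
        if (delegate != null) {
            delegate.checkPermission(perm);   // normal policy for every other check
        }
        // With no delegate, all other permissions are granted (demo only).
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        // Same rule for the AccessControlContext-based overload.
        checkPermission(perm);
    }

    public static void main(String[] args) {
        System.setSecurityManager(new PinnedSecurityManager(null));

        try {
            System.setSecurityManager(null);   // the common "escape the sandbox" call
            System.out.println("FAIL: security manager was removed");
        } catch (SecurityException e) {
            System.out.println("OK: " + e.getMessage());
        }

        // The pinned manager is still installed:
        System.out.println("current manager: "
                + System.getSecurityManager().getClass().getSimpleName());
    }
}
```

On the Java 6/7 runtimes this thread is about, `java PinnedSecurityManager` runs as-is. On JDK 18 and later the security manager is disabled by default (and deprecated since 17), so the demo needs `-Djava.security.manager=allow` on the command line or `setSecurityManager` itself throws `UnsupportedOperationException`.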

Actually they have; there have been so many harsh security fixes done to, for example, the applet core that plenty of applications just failed to work after a certain update. Now they get pissed on by both the developers AND the so-called security experts.

I agree that Oracle keeping silent is really highly annoying. You just don't know what is going on behind those towering walls of theirs.

Just got an email at work about this one. It's the first they've ever sent out a mass-distribution email about a Java security problem. Amazingly, they did not tell us to disable Java in our browsers, but rather to just not install new stuff from the web, and not visit web sites we did not already know and trust.

That's terrible advice. No one can possibly know what sites can actually be "trusted" and you still have to worry about ads and invisible third party code.

Assuming that level of competence, you probably have a huge list of addresses in the CC field. Why not send your personal warning+advice to your coworkers? (Remember to spoof both the MAIL FROM and From: SMTP fields.)

For the average user (the kind that visits any website it can find and would get viruses within a day if it wasn't for the virus scanner) it's probably good advice to disable Java in the browser. Sadly, Oracle seems to be perfectly happy with that.

Woo, Click-to-Play on plugins! One of the features I love in Google Chrome.

java-gaming.org is not responsible for the content posted by its members, including references to external websites and other references that may or may not have a relation with our primarily gaming and game production oriented community. Inquiries and complaints can be sent via email to the info-account of the company managing the website of java-gaming.org.